DirectAccess 2012 + Security concerns

  • Question

  • Hello

    I’m about to set up Windows Server 2012 DirectAccess.
    For simplicity I would like to set up DirectAccess in one-NIC mode behind a NAT device.

    But I’m having a hard time explaining to my network colleagues how we can trust this
    design from a security perspective. They do not want network traffic from the WAN
    directly into our company network.

    Also, I’m not able to find any detailed documentation about the DirectAccess security
    features that prevent/restrict unauthenticated traffic from coming from the WAN to the
    LAN. In UAG we had Forefront TMG. But what security mechanism in Windows
    Server 2012 protects the DirectAccess server from external untrusted sources?

    Do you still think it is most secure to set up DirectAccess in two-NIC mode with a public IP?
    Please let me know if you have any input on the pros and cons of the above.

    Thanks

    /Jesper

    • Edited by jravn123 Thursday, October 25, 2012 8:12 PM
    Thursday, October 25, 2012 8:09 PM

Answers

  • Hello

    I’m about to set up Windows Server 2012 DirectAccess.
    For simplicity I would like to set up DirectAccess in one-NIC mode behind a NAT device.

    But I’m having a hard time explaining to my network colleagues how we can trust this
    design from a security perspective. They do not want network traffic from the WAN
    directly into our company network.

    Also, I’m not able to find any detailed documentation about the DirectAccess security
    features that prevent/restrict unauthenticated traffic from coming from the WAN to the
    LAN. In UAG we had Forefront TMG. But what security mechanism in Windows
    Server 2012 protects the DirectAccess server from external untrusted sources?

    Do you still think it is most secure to set up DirectAccess in two-NIC mode with a public IP?
    Please let me know if you have any input on the pros and cons of the above.

    Thanks

    /Jesper

    Jesper,

    I understand your question. It is hard to explain. Allow me to explain as far as I can.

    First of all, DirectAccess should be considered an extension of your local intranet. Which means your clients will behave the same as they would on your local intranet, only in this scenario they are located on the internet. This is where split-tunneling or force-tunneling comes into the discussion. For that we have to step back and have a look at the security model we are seeing these days. Security on the firewall level is slowly migrating to endpoint security. Which means security is dealt with on the actual client and other endpoints. I don't say you fully need to rely on that, but that is what it is all about. DirectAccess already offers certain security, such as the requirement of a Computer Certificate, domain membership (which means domain authentication) and so on. DirectAccess also offers NAP (Network Access Protection) on top, which is optional.

    Now from a technical view. In my opinion it is still best practice to configure your DirectAccess Servers with two interfaces, one External Network and one Internal Network interface. Although private IP Addresses with NAT functionality are now supported, please use public IP Addresses if you have that option. Again, just my advice. Now about the traffic. I assume that your network, as many others, is IPv4 only. DirectAccess Clients work with IPv6 only, which by default means they would not be able to communicate with IPv4 addresses. I am not going into detail about that. But the fact is that for that purpose a so-called NAT64/DNS64 service is being used. That works perfectly! But what it causes is that all inbound (or outbound from another view) traffic from DirectAccess Clients to your internal resources is translated with NAT, which means the inbound traffic comes from the internal IP Address of your DirectAccess Server(s). So even if you would use UAG that hosts TMG on top of it, TMG cannot see the difference between your DirectAccess Clients. So for instance, if you would have an additional internal firewall below your DirectAccess Servers, that firewall needs to allow traffic from the internal IP Address (DirectAccess Servers) as the source.

    Of course I can go further in detail about security. I hope this information is useful for you. Let us know if you have any further questions.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Wednesday, October 31, 2012 4:11 PM
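Added example, not from the thread or from Microsoft: a PowerShell check for the Windows Server 2012 DirectAccess server that reports which transition technologies are active (behind NAT with one NIC only IP-HTTPS can work), confirms the NAT64/DNS64 state, and shows the internal IPv4 address that an internal or host firewall will see as the source of all DirectAccess client traffic, as the answer above describes. The adapter alias 'Internal' is an assumption.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# Windows Server 2012 DirectAccess server (RemoteAccess role installed).
# Assumption: the LAN-facing adapter is called 'Internal'; in a single-NIC
# deployment it is the only adapter and also carries the IP-HTTPS listener.
$InternalAlias = 'Internal'

Import-Module NetworkTransition

# 1. Client transition technologies. Behind a NAT device with one NIC only
#    IP-HTTPS (TCP 443) is usable; Teredo and 6to4 need public addresses
#    on the server, so both should report disabled here.
$teredo   = Get-NetTeredoConfiguration
$six2four = Get-Net6to4Configuration
"Teredo : $($teredo.Type)"
"6to4   : $($six2four.State)"
Get-NetIPHttpsConfiguration | Select-Object Type, State, ServerURL | Format-Table -AutoSize

# 2. NAT64/DNS64 state. While these are active, client (IPv6) traffic to
#    IPv4-only intranet hosts is source-translated to the server's internal
#    IPv4 address, so no internal device can tell individual clients apart.
"NAT64  : $((Get-NetNatTransitionConfiguration).State)"
"DNS64  : $((Get-NetDnsTransitionConfiguration).State)"

# 3. The address an internal firewall, or a host firewall on an intranet
#    server, must allow as the source of DirectAccess client traffic.
$daInternal = (Get-NetIPAddress -InterfaceAlias $InternalAlias -AddressFamily IPv4).IPAddress
"DirectAccess client traffic reaches IPv4 intranet hosts from: $daInternal"

# 4. Illustrative host-firewall rule for an intranet web server: only the
#    DirectAccess server's internal address may reach TCP 443 over this path.
#    -WhatIf only shows the rule that would be created; nothing is changed.
New-NetFirewallRule -DisplayName 'HTTPS from DirectAccess server (NAT64)' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $daInternal -Action Allow -Profile Domain -WhatIf
```

The rule in step 4 is as coarse as the answer warns: because of NAT64 it admits every DirectAccess client or none, so per-client filtering has to happen on the DirectAccess server or the endpoint itself.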

All replies

  • If you set up DirectAccess in a one-NIC topology, you will not be able to use Teredo or 6to4. Only IP-HTTPS will be available.

    Other than that, I've read that others still prefer the old method: a two-NIC topology where the external NIC is behind a transparent firewall, mainly because of the additional features you get with this. If you still want to use one NIC, then you could say to the others that you are not sending traffic directly from the WAN to the company network. The firewall only listens on a specific public IP on port 443, and sends that traffic through.

    Our network administrator hated the idea that you send traffic "directly through to the internal network", and basically said that if I can't find another solution to this we will not implement DirectAccess. So I dug deep, and found a solution even he found possible (NOT tested yet, however this should work. Nothing indicates it won't).

    We will only use IP-HTTPS. Why? We don't need any of the features you get with Teredo. We only want the laptops to be updated at all times and make the employers stop using Dropbox. With that in mind:

    Setup

    One NIC behind NAT -> The traffic goes through the outer firewall, traffic on <public IP>: port 443 to TMG in the DMZ -> TMG routes it back to the outer firewall -> into the internal network.

    • Edited by OrPhe0 Monday, October 29, 2012 1:35 PM
    Monday, October 29, 2012 10:03 AM
  • Hello


    Thanks for your feedback.
    I know I can set up a two-leg Forefront TMG (DMZ/LAN) in front of my DA with a custom HTTPS protocol and publishing rule. I guess that will work.
    But then I also need two of them for failover, and the DA setup becomes complex again.
    Furthermore, Microsoft has not talked about or recommended TMG in any of the news articles/blogs for the new DA 2012.
    Also, TMG reaches end of life in the near future. So I'm still missing a clear statement from Microsoft or anyone else about the new security features in DA 2012 that replace UAG/TMG.
    I'm also missing some valid security arguments/documentation for a single-NIC DA setup that I can pass on to my network team.

    Thanks

    /Jesper


    • Edited by jravn123 Tuesday, October 30, 2012 9:05 AM
    Tuesday, October 30, 2012 9:03 AM
  • It's true that TMG will be phased out, so I'll try it with UAG. I guess Microsoft finds that an outer firewall and their own Windows Firewall is enough security, we don't. 

    I don't have enough knowledge around safety and DirectAccess yet, just kicking in some of my thoughts. It would be nice if someone with knowledge and experience around this could write a few words!

    Tuesday, October 30, 2012 10:25 AM
  • Hi,

    Thank you for the post.

    As far as I know, Windows Server 2012 DirectAccess provides the ability to deploy the DirectAccess server behind a NAT device, with support for a single network interface. For more feature information, see this: http://technet.microsoft.com/en-us/library/hh831416.

    Regards,


    Nick Gu - MSFT

    Wednesday, October 31, 2012 6:34 AM
    Moderator
  • Hello Nick

    Not to be rude, but did you actually read my two forum posts?
    English is not my first language, so please read them again and let me know if any of my questions are still unclear to you.

    Thanks

    /Jesper
    Wednesday, October 31, 2012 2:51 PM
  • Hey Boudewijn,

    Wouldn't UAG (in the DMZ, NOT hosting DirectAccess; a separate DA server is located on the prod network) be able to see the difference between the clients? It would be nice to be able to log traffic and see if someone is trying to hack into the DirectAccess server.

    Friday, November 2, 2012 7:50 AM
  • Hey Boudewijn,

    Wouldn't UAG (in the DMZ, NOT hosting DirectAccess; a separate DA server is located on the prod network) be able to see the difference between the clients? It would be nice to be able to log traffic and see if someone is trying to hack into the DirectAccess server.


    Yes. Although if you talk about clients/users that connect to a UAG trunk, then UAG can see the difference between those clients/users. And even when those clients would have a VPN connection, then they get their own private IP Address from a DHCP pool which is routable to the internal network. But... DirectAccess gives clients IPv6 addresses, which cannot be routed into the internal network. Therefore, the DirectAccess Server will NAT the traffic with its own internal IP Address.

    Boudewijn Plomp, BPMi Infrastructure & Security

    Friday, November 2, 2012 2:06 PM
  • Cannot be routed into the internal network? So basically what you are saying is that I can't use UAG between the outer firewall and DirectAccess server? 
    Monday, November 5, 2012 8:49 AM
  • Cannot be routed into the internal network? So basically what you are saying is that I can't use UAG between the outer firewall and DirectAccess server? 

    That is another question. You have to reframe your question for me to understand it.

    Bottom line is: DirectAccess Clients use IPv6. Your IPv4 network cannot route IPv6 traffic, unless you implement IPv6 transition technologies or you implement NAT at the DirectAccess Server.

    • DirectAccess uses NAT to accomplish communication from DirectAccess Clients to your IPv4 intranet. (inbound)
    • DirectAccess uses IPv6 transition technologies (such as ISATAP) to accomplish communication from your IPv4 intranet to your DirectAccess Clients. (outbound)

    Scenario: So... when you have one (UAG) DirectAccess Server, and a DirectAccess Client connects to a web server on your local IPv4 intranet. What source IP Address do you think will be seen in the Web Server logging?

    Answer: The internal IP Address of the DirectAccess Server. All because NAT has been applied.

    And... UAG DirectAccess does not allow you to create firewall rules that only allow certain DirectAccess Clients through. It is all or nothing based on source. Keep in mind, you "can" create deny rules for certain internal resources.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Monday, November 5, 2012 9:04 AM
  • Made a quick picture of how I want it to work.

    So here you see: I don't want to be able to route IPv6, just the tunnel that is established between the client and the DirectAccess server. In this way, I'm not directly forwarding from the outer firewall to the DA server. I want to know if this is possible.

    Thanks for clearing up that scenario by the way, I was wondering about that.

    Monday, November 5, 2012 9:23 AM
  • Made a quick picture of how I want it to work.

    So here you see: I don't want to be able to route IPv6, just the tunnel that is established between the client and the DirectAccess server. In this way, I'm not directly forwarding from the outer firewall to the DA server. I want to know if this is possible.

    Thanks for clearing up that scenario by the way, I was wondering about that.

    Ah ok. Different story then, jravn123. I got the feeling you want to use this at home with only one public IP Address available.

    I am not sure if you can get away with all protocols. I don't think IP-HTTPS will work unless you use a Server Publishing Rule for it. There goes your public IP Address. 6to4 can't be used and Teredo also requires a Server Publishing Rule. It depends on many factors, such as NAT, 1:1 routing and so on. If this were a company scenario I would not implement it like this.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Tuesday, November 6, 2012 8:18 AM
  • You wouldn't? How would you implement DirectAccess if you only needed IP-HTTPS? I'm going to need a few good pointers to convince our network administrator that forwarding directly to the DirectAccess server from the router (with firewall) is a good solution.

    Thanks btw Boudewijn! Trying to harvest every bit of information that I can gather around DirectAccess :)


    • Edited by OrPhe0 Tuesday, November 6, 2012 9:33 AM
    Tuesday, November 6, 2012 8:51 AM
  • You are welcome. I have to find the answers as well. Sometimes you have to dive very deep.

    I always recommend using one or more DirectAccess Servers with two network interfaces and a firewall in front. If possible I always recommend having public IP Addresses on the internet-facing interface of the DirectAccess Server(s). The firewall in front of it should enable 1:1 routing and only pass through the required protocols. That way you have a good setup and it is easier to troubleshoot.

    If you don't have public IP Addresses available you can always use private IP Addresses and/or even one interface. Keep in mind you then need Windows Server 2012.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Tuesday, November 6, 2012 1:39 PM
  • I'm using Windows Server 2012, and want to implement a single-NIC setup. I will still be using a public IP and only port 443 will be opened.

    Let's say that I would go for your recommended setup, then is it really secure enough to enable 1:1 routing and pass through the required protocols? By secure I mean not easily hacked and a good enough standard for most companies.

    Tuesday, November 6, 2012 2:53 PM
  • Security cannot be guaranteed these days. But I think you are probably better off with two interfaces than one. Just make sure you have a firewall in front. And make sure your clients are healthy.


    Boudewijn Plomp, BPMi Infrastructure & Security

    Tuesday, November 6, 2012 7:04 PM